Let’s talk about something that’s often misunderstood — and misused — in the ServiceNow platform:
Before Query Business Rules (BQBRs)
At first glance, they seem like a great way to control who sees what. You just add a filter at the query level, and problem solved… right?
Not exactly. In fact, this approach can open up serious security loopholes.
🔍 What Are Before Query Business Rules?
Before Query Business Rules run before a database query is executed. Their main job is to modify the query and narrow down what records are returned.
They’re commonly triggered in:
- List views
- Global searches
- Reference field lookups
So yes — they do control data visibility. But here's the catch:
❌ They're Not Meant for Security
Let’s be very clear:
Before Query Rules are not a replacement for Access Controls (ACLs).
Why? Because they only apply in specific UI scenarios. A user might be restricted in one area, but gain access through another — like dot-walking or reports.
🧪 A Real Example: How Things Can Go Wrong
Imagine this:
Use Case:
Your organization wants to prevent non-admins from seeing inactive users. Instead of setting up ACLs, a developer creates a BQBR that filters out inactive records from sys_user.
Seems fine. But then…
What happens?
- A non-admin opens a report on incidents (which they’re allowed to see).
- The report includes a dot-walked field like caller.active.
- The system follows the reference and pulls in inactive user records.
And just like that — the filter is bypassed. The user sees data they shouldn’t.
⚠️ This Is Why It’s Dangerous
Before Query Rules don’t run in all contexts. They don’t apply:
- Inside reports
- Through scripts (e.g. GlideRecord)
- When dot-walking in certain UI components
If you're relying on BQBRs for security, you're leaving gaps. Big ones.
✅ So… When Can You Use Them?
They’re not all bad — just often misused. Here’s when they can help:
- ✅ Improve user experience by hiding irrelevant records
- ✅ Speed up dropdowns or list views for performance
- ✅ Reduce “security constraints prevent access” errors
But only after your ACLs are properly defined.
🔐 The Right Way to Handle Security
Always, always start with:
- 🔒 ACLs (Access Control Rules)
- 👥 Role-based access
- ⚙️ Data policies and conditions
Use BQBRs as a supporting tool, not the foundation. Think of them as UX helpers — not gatekeepers.
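The sys_user scenario above (a BQBR bypassed by a report dot-walking caller.active) and the ACL-first approach side by side, as an added example that is not part of this post. The two rule bodies use the platform's real addQuery, hasRole and getValue calls; the sample rows, roles and query stub are constructed stand-ins so it runs in Node, not ServiceNow itself.

```javascript
// Two scripts in the shape ServiceNow's server side uses, plus a constructed
// stand-in for the platform (assumption: not the real engine) so both run in Node.

// Before Query Business Rule on sys_user. `current` is the GlideRecord about to
// run; narrowing it only affects the paths that actually fire the rule.
function beforeQueryHideInactiveUsers(current, gs) {
  if (!gs.hasRole('admin')) {
    current.addQuery('active', 'true');
  }
}

// Scripted read ACL on sys_user. Evaluated per record on every ACL-enforced path
// (lists, reports, dot-walks, GlideRecordSecure), so this is the real gate.
// In the platform the script assigns `answer`; here it is returned for testing.
function readAclActiveUsersOnly(current, gs) {
  var answer = gs.hasRole('admin') || current.getValue('active') == 'true';
  return answer;
}

// ---- constructed stand-in for the platform: sample rows, roles, query ----
var USERS = [
  { sys_id: 'u1', name: 'Alice', active: 'true' },
  { sys_id: 'u2', name: 'Bob',   active: 'false' }
];
function makeGs(roles) {
  return { hasRole: function (r) { return roles.indexOf(r) >= 0; } };
}
function StubQuery(rows) { this.rows = rows; }
StubQuery.prototype.addQuery = function (field, value) {
  this.rows = this.rows.filter(function (r) { return r[field] === value; });
};
function makeRecord(row) {
  return { getValue: function (f) { return row[f]; } };
}

// Path 1: a list view. The platform fires the BQBR before the query runs.
function listVisibleUsers(roles) {
  var q = new StubQuery(USERS.slice());
  beforeQueryHideInactiveUsers(q, makeGs(roles));
  return q.rows.map(function (r) { return r.name; });
}

// Path 2: a report dot-walking caller.active. No BQBR fires for the referenced
// user records; only a read ACL, if one is defined, is checked per record.
function reportDotWalkVisibleUsers(roles, aclDefined) {
  var gs = makeGs(roles);
  return USERS.filter(function (r) {
    return !aclDefined || readAclActiveUsersOnly(makeRecord(r), gs);
  }).map(function (r) { return r.name; });
}
```

With only the BQBR in place, the report path returns Bob (inactive) to a non-admin; once the read ACL exists, both paths agree.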
Thanks & Regards,
Subham Kumar Shaw
ServiceNow Architect/Consultant
ServiceNow Community Rising Star ' 2022/2023/2024